Problems moving from 3.51 to 4.0.1

pot51e
Level 1

We're just migrating from 3.5.1 client to 4.0.1, and we are now getting this log message when we try to connect:

1 15:02:37.688 11/04/04 Sev=Warning/3 IKE/0xA300004B

Received a NOTIFY message with an invalid protocol id (0)

We are using a PIX515 with preshared key. We have ISAKMP policies covering DES/SHA/2 and DES/MD5/1 & 2.

Preshared key is fine, and the RADIUS server is authenticating the user fine, but it gets stuck when "Securing Communications Channel...."

Our old clients still work fine.

Can any gurus help me out please?

Thanks

1 Accepted Solution

gfullage
Cisco Employee

The PIX crypto debug would be more useful here, as it will probably tell you exactly what's going wrong. The only thing that comes to mind is that we removed des/sha support in 3.6 to make room for all the AES transforms, so the new 4.0 client won't propose des/sha for Phase 2 anymore. If your PIX transform-set is set to this, then the connection will fail.

Look for the line like this:

crypto ipsec transform-set <name> esp-des esp-sha-hmac

If it is des/sha, try changing it to des/md5, or better yet, 3DES licenses for PIX's have been free for quite a while now (apply here https://www.cisco.com//cgi-bin/Software/FormManager/formgenerator.pl?pid=221&fid=1283) and use a 3des transform rather than des.
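The check described in the answer above, as an added example that is not part of the original post or Cisco's own tooling: it scans a PIX configuration for transform sets that combine esp-des with esp-sha-hmac and reports which crypto map or dynamic-map entries reference them. The sample configuration and all names in it (oldset, md5set, strongset, dynmap, vpnmap) are constructed for illustration.

```python
import re

# Constructed sample PIX configuration fragment (not from the original thread).
SAMPLE_CONFIG = """\
crypto ipsec transform-set oldset esp-des esp-sha-hmac
crypto ipsec transform-set md5set esp-des esp-md5-hmac
crypto ipsec transform-set strongset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set oldset
crypto dynamic-map dynmap 20 set transform-set md5set strongset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
USE_RE = re.compile(r"^crypto (?:dynamic-map|map) (\S+) (\d+) set transform-set (.+)$")


def parse_transform_sets(config):
    """Return {name: set of transforms} for every transform-set line."""
    sets = {}
    for line in config.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            sets[m.group(1)] = set(m.group(2).split())
    return sets


def classify(transforms):
    """Label a transform set according to the answer above."""
    if {"esp-des", "esp-sha-hmac"} <= transforms:
        return "des/sha: not proposed by the 4.0 client, Phase 2 will fail"
    if "esp-des" in transforms:
        return "single DES: the answer recommends a 3DES transform instead"
    return "ok"


def audit(config):
    """Return [(map, seq, set_name, verdict)] for each map entry that uses a set."""
    sets = parse_transform_sets(config)
    findings = []
    for line in config.splitlines():
        m = USE_RE.match(line.strip())
        if not m:
            continue
        for name in m.group(3).split():
            verdict = classify(sets[name]) if name in sets else "undefined transform-set"
            findings.append((m.group(1), int(m.group(2)), name, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```
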


2 Replies


That's the one, many thanks.